The Internet Protocol (IP) is the most widely used communications protocol. Because it is the most pervasive communication technology, it is the focus of hundreds of thousands of IT professionals like you. Because so many people rely on the protocol, the safety of communications is top of mind. The security research that is performed on IP is conducted by both benevolent and malevolent people. All the security research has caused many patches and adjustments to IP, as it has been deployed internationally. In hindsight, it would have been better if deeper consideration were given to the security of the protocol before it was extensively deployed.

This book provides you with insight into the security ramifications of a new version of IP and provides guidance to avoid issues prior to deployment. This chapter provides a brief background on this next version of IP, IPv6. You learn why it is important to consider the security for IPv6 before its wide-scale deployment. A review of the current risks and industry knowledge of the vulnerabilities is provided, as well as the common ways that IPv6 can be secured.

Reintroduction to IPv6

The Internet Engineering Task Force (IETF) is the organization that is responsible for defining the Internet Protocol standards. When the IETF developed IPv4, the global expansion of the Internet and the current Internet security issues were not anticipated. In IPv4’s original design, network security was only given minor consideration. In the 1980s, when IPv4 was developing, the “Internet” was constructed by a set of cooperative organizations. As IPv4 was developed and the Internet explosion took place in the 1990s, Internet threats became prolific. If the current environment of Internet threats could have been predicted when IPv4 was being developed, the protocol would have had more security measures incorporated into its design.

In the early 1990s, the IETF realized that a new version of IP would be needed, and the Task Force started by drafting the new protocol’s requirements. IP Next Generation (IPng) was created, which then became IPv6 (RFC 1883). IPv6 is the second network layer standard protocol that follows IPv4 for computer communications across the Internet and other computer networks. IPv6 offers several compelling functions and is really the next step in the evolution of the Internet Protocol. These improvements came in the form of increased address size, a streamlined header format, extensible headers, and the ability to preserve the confidentiality and integrity of communications. The IPv6 protocol was then fully standardized at the end of 1998 in RFC 2460, which defines the header structure. IPv6 is now ready to overcome many of the deficiencies in the current IPv4 protocol and to create new ways of communicating that IPv4 cannot support.

IPv6 provides several improvements over its predecessor. The advantages of IPv6 are detailed in many other books on IPv6. However, the following list summarizes the characteristics of IPv6 and the improvements it can deliver:

• Larger address space: Increased address size from 32 bits to 128 bits
• Streamlined protocol header: Improves packet-forwarding efficiency
• Stateless autoconfiguration: The ability for nodes to determine their own address
• Multicast: Increased use of efficient one-to-many communications
• Jumbograms: The ability to have very large packet payloads for greater efficiency

During the development of IPv6, one of the requirements was that this new protocol must have flexible transition mechanisms. It should be easy to transition to this new protocol gradually, over many years. Because it was evident that IPv6 would become very popular, the transition would need to be slow and methodical.

Running both IPv4 and IPv6 at the same time, called dual stack, is one of the primary transition strategies. This concept describes the scenario in which a router supports two or more different routed protocols and forwards each type of traffic, independent of the behavior of the other routed protocol. Seasoned network engineers will recall the concept of “ships-in-the-night routing.” This term refers to the fact that packets from either protocol can pass by each other without affecting each other or having anything to do with each other. Because “dual stacking” can be a dominant migration strategy, running a network with both protocols can open that network to attacks on both protocols. Attacks can also evolve that leverage a combination of vulnerabilities in IPv4 and IPv6.

In addition to dual stack, the transition to IPv6 involves various types of tunneling approaches where IPv6 is carried over IPv4 networks that have yet to migrate to IPv6. There will likely be attacks on the transition mechanisms themselves to gain access to either the IPv4 or IPv6 portions of a network. The security of IPv6 systems must be assessed before IPv6 is permitted to be enabled on current and future networks and systems.

Because IPv6 and IPv4 are both network layer protocols, many of the network layer vulnerabilities are therefore similar. However, because the protocol layers above and below the IP layer remain the same for either IP version, many of those attacks will not change. Because the two protocols are related, the similarities between the protocols can create similar attack patterns. IPv6 could improve security in some areas, but in other areas, it could also open new threats. Chapter 2, “IPv6 Protocol Security Vulnerabilities,” focuses on the attacks against the IPv6 protocol itself and describes ways to protect against them.

IPv6 has continued to evolve since December 1998, when the IETF published RFC 2460. As the number of available IPv4 public addresses has reduced, IPv6 has become more attractive. In fact, IPv6 is the only viable solution to this IP address depletion problem. Many of the problems in current IPv4 networks relate to address conservation. For example, perpetuating the use of Network Address

Today, the identity of users on the Internet is often unknown, and this has created an environment where attackers can easily operate. The use of anonymizer tools such as Tor and open proxies and the use of NAT allow users to hide their source IP addresses and allow hackers to operate without their targets knowing much about the source of the messages. NAT is often misunderstood as a security protection measure because it hides the internal addresses and thus obfuscates the internal network topology. Many network administrators feel a false sense of security and put too much faith in NAT. NAT breaks the use of the full end-to-end communication model that IP Security (IPsec) needs to be fully effective. The firewalls that perform the NAT function have difficulty maintaining the NAT state during failover. Troubleshooting application traffic that flows through a NAT is often difficult. When using IPv6, the use of NAT is not necessary because of the large amount of addresses available. Each node has its own unique address, and it can use that address for internal and external communications.

After the core, distribution, and access layers are dual-stack enabled, the computer systems themselves can be IPv6 enabled. After this takes place, the system administrators can start to enable IPsec tunnels between IPv6-enabled nodes to provide confidentiality and the integrity of the communications between systems. This provides a greater level of security over current unencrypted IPv4 implementations. IPsec deployments utilizing both authentication and encryption are rarely used today for computer-to-computer communication. Today the common method of using IPsec only encrypts the payload in tunnel mode because the NATs that are in place prevent authenticating the header. However, communications between critical systems can optionally be secured with IPv6 IPsec, using both authentication and encryption. Chapter 8, “IPsec and SSL Virtual Private Networks,” provides further details on how to secure IPv6 communications. IPv6 can uniquely provide this clear end-to-end secure communication because NAT is not needed when IPv6 can provide every node with a globally unique IP address.

IPv6 Update

IPv6 is becoming a reality. The many years of early protocol research have paid dividends with products that easily interoperate. Several early IPv6 research groups have disbanded because the protocol is starting to move into the transition phase. The 6BONE (phased out with RFC 3701) and the KAME (http://www.kame.net) IPv6 research and development projects have wound down and given way to more IPv6 products from a wide variety of vendors. Deployment of IPv6 is not a question of if but when. IPv6 is an eventuality.

The transition to IPv6 continues to take place around the world. The protocol is gaining popularity and is being integrated into more products. There are many IPv6-capable operating systems on the market today. Linux, BSD, Solaris, Microsoft Vista, and Microsoft Server 2008 operating systems all have their IPv6 stacks enabled by default, and IPv6 operates as the preferred protocol stack. Of course, Cisco equipment fully supports dual-stack configuration, and the number of IPv6 features within IOS devices continues to grow. However, the production use of IPv6 is still in the domain of the early adopters.

The rate of IPv6 adoption is growing but is also unpredictable. The timeline for the deployment of IPv6 is long and difficult to measure. Generally speaking, the transition to IPv6 has thus far been based on geography and politics. The Asian and European regions that did not have as many allocated IPv4 addresses have felt the pressure to transition to IPv6. While organizations in North America have more IPv4 addresses, the address-depletion effects are making the migration to IPv6 more urgent. The market segments that are focused on IPv6 are few and far between. There are few IPv6-specific applications that appeal to enterprises, service providers, and consumers that make them want to transition sooner. Some vertical markets such as government and defense, public sector, education, video distribution, and high tech are starting to see the benefits of IPv6 and are working on their transition plans.

There are still many areas of IPv6 where issues remain to be resolved. One of the remaining challenges for IPv6 is that few IPv6 service providers exist. Currently, Internet IPv6 traffic is still light compared to IPv4, but it continues to grow. This can be attributed to the lack of last-mile IPv6 access and customer premises equipment (CPE) that does not support IPv6. Multihoming, which is the concept of connecting to multiple service providers for redundancy, is an issue that will take some time to resolve, but it is doubtful that it is significantly holding back organizations from deploying IPv6. Hardware acceleration for IPv6 is not universal, and many applications lack IPv6 support. Just like the deployment of other networking technologies, network management and security are left to the end. The goal of this book is to raise awareness of the security issues related to IPv6 and to provide methods to secure the protocol before deployment.

IPv6 Vulnerabilities

IPv6 will eventually be just as popular as IPv4, if not more so. Over the next decade as IPv6 is deployed, the number of systems it is deployed on will surpass those on IPv4. While early adopters can help flesh out the bugs, there are still many issues to resolve. IPv6 implementations are relatively new to the market, and the software that has created these systems has not been field tested as thoroughly as their IPv4 counterparts. There is likely to be a period of time where defects will be found, and vendors will need to respond quickly to patching their bugs. Many groups are performing extensive testing of IPv6, so they hopefully can find many of the issues before it is time to deploy IPv6. However, all the major vendors of IT equipment and software have published vulnerabilities in their IPv6 implementations. Microsoft, Juniper, Linux, Sun, BSD, and even Cisco all have published vulnerabilities in their software. As IPv6 has been adopted, it is evident that these major vendors have drawn the attention of the hackers.

The early adopters of IPv6 technology are encouraged to tread lightly and make sure that security is part of their transition plans. There are distinct threats of running IPv6 on a network without any security protection measures. Some operating systems can run both protocols at the same time without the user’s intervention. These operating systems might also try to connect to the IPv6 Internet without explicit configuration by the user. If users are not aware of this fact and there is no security policy or IPv6 security protections implemented, they are running the risk of attack. IPv6 can be used as a “backdoor protocol” because many security systems only secure IPv4 and ignore IPv6 packets. For these reasons, it is important to secure IPv6 before it is widely deployed.
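The dual-stack and tunneling risks described earlier, and the “backdoor protocol” point above, in working code. This is an added example, not from the book: a small Python parser that classifies constructed packets as plain IPv4, IPv6 encapsulated in IPv4 (IANA protocol number 41, the 6in4 encapsulation used by several transition tunnels), or native IPv6, and lists the flows that a control inspecting only IPv4 would never police. Addresses use documentation prefixes and the packets are built inline.

```python
"""Added example (not from the book): why IPv6 can slip past IPv4-only controls.

Parses constructed packets, detects IPv6 carried inside IPv4 (IANA protocol
number 41, the 6in4 encapsulation used by several transition tunnels) as well
as native IPv6, and lists the flows an IPv4-only filter would never police.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol field value for an encapsulated IPv6 packet
TCP = 6


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header and return its key fields plus the payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4               # header length in bytes, options included
    return {
        "proto": pkt[9],
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "payload": pkt[ihl:],
    }


def parse_ipv6(pkt: bytes) -> dict:
    """Decode the 40-byte fixed IPv6 header defined in RFC 2460."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header, hop_limit = struct.unpack("!HBB", pkt[4:8])
    return {
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "payload": pkt[40:40 + payload_len],
    }


def classify(pkt: bytes) -> dict:
    """Say what the packet is and whether an IPv4-only filter would see the real flow."""
    if pkt[0] >> 4 == 6:                    # native IPv6: invisible to a v4-only filter
        return {"kind": "native-ipv6", "inner": parse_ipv6(pkt), "v4_visible": False}
    outer = parse_ipv4(pkt)
    if outer["proto"] == IPPROTO_IPV6:      # 6in4: the filter sees only the outer tunnel
        inner = parse_ipv6(outer["payload"])
        return {"kind": "6in4-tunnel", "outer": outer, "inner": inner, "v4_visible": False}
    return {"kind": "ipv4", "outer": outer, "v4_visible": True}


def missed_by_ipv4_only(packets: dict) -> list:
    """Return (name, 'src -> dst') for every IPv6 flow a v4-only filter would not see."""
    findings = []
    for name, pkt in packets.items():
        result = classify(pkt)
        if not result["v4_visible"]:
            inner = result["inner"]
            findings.append((name, f"{inner['src']} -> {inner['dst']}"))
    return findings


# --- constructed sample packets (documentation prefixes; checksums left zero) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    header = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                         ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return header + payload


SEGMENT = b"\x00" * 20   # stand-in for a TCP segment
SAMPLES = {
    "plain_v4": build_ipv4("192.0.2.10", "198.51.100.5", TCP, SEGMENT),
    "tunneled": build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_IPV6,
                           build_ipv6("2001:db8::10", "2001:db8:1::25", TCP, SEGMENT)),
    "native_v6": build_ipv6("2001:db8:2::7", "2001:db8:1::25", TCP, SEGMENT),
}

if __name__ == "__main__":
    for name, flow in missed_by_ipv4_only(SAMPLES):
        print(f"{name:10s} IPv6 flow not covered by IPv4-only policy: {flow}")
```

A real deployment would apply the same check to captured traffic and to the host’s own interface list, since the hosts described above bring up IPv6 without being asked.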

When you consider the ways that an IPv4 or IPv6 network can be compromised, there are many similarities. Attacks against networks typically fall within one of the following common attack vectors:

respondents suffered from insider abuse of network access. This percentage historically has been lower in the mid- to late 1990s and has risen steadily each year. So the percentage of internal attack sources is likely to be even higher today. Those internal sources of attacks could either be a legitimate hacker or an unknowing end user. The key issue is that most organizations do not spend 50 percent of their security budget on mitigating inside threats. Therefore, external as well as internal devices must be hardened equally well but not necessarily against the same types of attacks.

One disadvantage of both IP versions is the fact that the signaling of network reachability information takes place in the same medium as the user traffic. Routing protocols perform their communication in-band, and that increases the risks to infrastructure destabilization attacks. The threat mentioned here is that user traffic can affect the protocol-signaling information to destabilize the network. Protections against these types of attacks involve securing the signaling communications between network devices. IPv6 routing protocols can use encryption and authentication to secure the signaling information, even if it is transported inside the data path. Domain Name System (DNS) is another key infrastructure component that provides important signaling functions for IPv4 and IPv6. As seen over the past ten years, there is an increase in the number of attacks that target the infrastructure and DNS of the Internet and private networks. The attacks aim to create a denial of service (DoS), which affects the usability of the entire network.

Attacks against network elements typically come from the Internet for perimeter-based devices, while attacks on intranet devices originate from malicious insiders. Most internal routers have simple protection mechanisms like simple passwords and Simple Network Management Protocol (SNMP) community strings. Ease of management typically outweighs security in most enterprise networks. Internet routers do not enjoy this friendly environment, and they are constantly susceptible to many different forms of attack.

Routers are not usually capable of running traditional server software or other applications that can have vulnerabilities. However, they can be the target of a buffer overflow, where the attacker attempts to send information to the router to overrun an internal memory buffer. The side effects can be anything from erratic behavior to a software crash or gaining remote access. Any software that the router runs could be vulnerable, and any protocol supported and implemented within that software for communications to other devices is at risk for potential exploitation. Routers communicate over many different protocols, and each of those protocols is a potential target.

Hacker Experience

As mentioned before, there is a lack of IPv6 deployment experience in the industry. There is also a lack of experience in securing an IPv6 network. That is why it is important to understand the issues with IPv6 and prepare your defenses. This should be done before IPv6 networks become a larger target for hackers. Not many IPv6 attacks exist or are publicly known, and there are few best practices for IPv6 security or reference security architectures for IPv6. However, a select few sophisticated hackers already use IPv6 for Internet Relay Chat (IRC) channels and back doors for their tools. Some DoS attacks are available and one IPv6 worm already exists, but there is little information available on new IPv6 attacks. It is fair to say that the current IPv6 Internet is not a big target for hackers. This is likely to change as the number of IPv6-connected organizations grows.

As IPv6 becomes more popular, it will continue to grow as a target of attacks, just as Microsoft software became a larger target as it became more popular. Internet Explorer is a dominant web browser and experiences many attacks. As the Firefox web browser increased in popularity, so did the number of people working to find flaws in it. IPv6 will follow the same course as the number of deployments increases and it becomes a focus of new security research. The process of finding and correcting vulnerabilities will only make IPv6 stronger. However, because IPv6 has had so long to develop prior to mass adoption, the hope is that many of the early vulnerabilities have already been corrected.

The underground hacker community has started exploring IPv6. IPv6 is beginning to be well understood by these groups, and they are constructing tools that leverage weaknesses in the protocol and IPv6 stack implementations. Back doors that utilize IPv6 or IPv6 within IPv4 to obscure attacks and bypass firewalls are part of their repertoire. In fact, IPv6 capabilities have started to be added to several popular hacker tools.

Many of these IPv6 attack tools are already available and relatively easy to install and operate. Tools such as Scapy6 and the Hacker’s Choice IPv6 Toolkit come to mind. These two tools are demonstrated in Chapter 2, which describes how these and other tools operate and discusses what risk they pose. This book illustrates the threats against IPv6 networks and describes how you can apply protection measures to neutralize these attacks.

NOTE

Throughout this book, you will see the terms attacker, hacker, and miscreant used interchangeably to refer to malevolent forces that try to take advantage of IPv6 vulnerabilities. Attacks can be initiated by an outsider such as a malicious user or some malicious host that has been compromised and is being remotely controlled. However, attacks also can be carried out by unknowing insiders who are not aware that they have just caused a problem.

IPv6 Security Mitigation Techniques

IPv6 security architectures are not substantially different from those for IPv4. Organizations can still have the same network topologies when they transition to IPv6 as they have today. The network can still support the organization’s mission, and the network can still have data centers, remote sites, and Internet connectivity, regardless of what IP version is being used.

With IPv6, the perimeter design has the same relevance as for IPv4, and most organizations can continue to have the “hard, crunchy” exterior and the “soft, squishy” interior networks. The problem is that most organizations put most of their effort into securing the perimeter, and they overlook the internal security of their environments. If these organizations considered the malicious insider threat, they might rethink the perimeter model and move to a model that has an even layer of security spread throughout. Many of these classic security paradigms still apply to IPv6 networks. When it comes to securing IPv6 networks, the following areas of an IT environment need to be protected:

Over time, there will be changes in the way systems communicate with IPv6. Traffic patterns can change from being primarily client/server to being more peer-to-peer in nature. The use of anycast communications can add redundancy to communications but also make them less deterministic. Mobile IPv6 and tunnels can change the perimeter concept because there needs to be trusted nodes outside the perimeter. This can transform the perimeter into a more fuzzy and nebulous concept. Greater use of end-to-end encryption is needed to secure the different communication flows. Therefore, over time, the security architectures for IPv6 networks will transform to keep up with the way people communicate.

Standard IT security principles still apply when thinking about the security of IPv6 networks. Organizations should utilize multiple defensive strategies that support each other. Organizations should also have diversity in their defenses so that different types of protections help protect against multiple types of threats. Your defensive mechanisms are only as strong as the weakest link, so all parts of the protections should be fortified like a castle. A good example of this concept is to have a security architecture that has a perimeter and internal controls to not only mitigate the Internet threats but also the insider threats. Having both defense in depth and diversity of defense is like having “both a belt and suspenders” to prevent you from getting caught with your pants down. If you do not consider both for IPv6, you will have a network that is embarrassingly exposed to the elements.

The Cisco Self Defending Network (SDN) can also be a guide for protecting IPv6 networks. The SDN philosophies apply to IPv4 and IPv6 networks alike. The concepts of integration, collaboration, and adaptability are core capabilities of the self-defending network. Integrated security is the idea that security for networks should be inherent in the design and not added after the fact. This is very much the case with IPv6, where many devices have IPsec built in right from the start.

Collaboration between many diverse security solutions makes the security of the entire system more robust. IPv6 allows this form of collaboration because every node can have its own address and can easily communicate seamlessly across boundaries. Adaptability allows the security systems to respond dynamically to the situation at hand. IPv6 can provide the ability to communicate in new ways that can adapt to the needs of the users while providing security awareness. IPv6 can be the secure network platform that is the fundamental foundation of the Cisco Self Defending Network architecture.

The ways to protect IPv6 networks are much the same as those methods used to protect IPv4 networks. Concepts such as network perimeters, LAN security, remote-site communications and VPNs, infrastructure protection, server farm protection, and host/client security are all areas of focus for IPv6. The building blocks of a Self Defending Network include the following components:

• Endpoint protection
• Admission control
• Infection containment
• Intelligent correlation and incident response
• Inline Intrusion Prevention Systems (IPS) and anomaly detection
• Application security and anti-X defense

While not all of these technologies work seamlessly for IPv4 and IPv6, these are the types of components required for securing either IP version.

Few best practices exist for IPv6 deployment. As the Internet community continues to evolve IPv6 solutions, there will be solutions to the problems discovered through testing and trial deployments. IPv6 mailing lists, collaboration groups, the IETF v6ops working group, and interoperability testing organizations are deeply involved with gathering information on IPv6 deployment experiences. These organizations are experimenting with the early IPv6 solutions and documenting the best ways to implement IPv6. However, there are no current IETF Best Current Practices (BCP) for IPv6 security. As more is known about how IPv6 operates in live networks and more ways are found to secure it, the BCPs will develop.

Security risks can be mitigated through adequate training of the IT staff and the security administrators. Network professionals must understand the risks related to IPv6 and ensure that they are installing the correct protection mechanisms. Security policies need to be drafted or updated with the new security issues that IPv6 brings, and end users need security awareness training to help avoid unknowingly becoming insider threats.

Virtually all organizations rely heavily on their staff and their network security devices to protect their critical computer systems. Most organizations use firewalls, host-based and network-based intrusion prevention systems (IPS), antivirus software, and Security Information Management Systems (SIMS) to help monitor security events in this locked-down environment. Companies have spent a lot of money trying to secure their computer network infrastructure from invasion. This is primarily because there are weaknesses in the protocols and defects in applications used on computer networks that can be subverted by malicious individuals. While malicious individuals exploit weaknesses in protocols, unknowing individuals help propagate the threats by ignoring corporate security policy, guidelines, and standards.

IPv6 security devices need to be purchased when they are available and kept up to date so that when new IPv6 vulnerabilities are discovered, the computer systems are protected. Organizations are going to need IPv6-capable security products ahead of the deployment of IPv6. Firewalls are pervasive in today’s networks, and there are several firewall solutions available for IPv6. However, in 2008, many IPSs and VPN concentrators do not support IPv6. The planning for the migration to IPv6 has been taking place for several years, but for now, much of the needed functionality does not exist. It can take a couple of years for there to be feature parity between IPv4 and IPv6 security products. Therefore, organizations should plan to upgrade their current security systems to achieve IPv6 functionality.

Instead of focusing on the theoretical security implications of IPv6, you should aim to implement the practical methods of securing a network based on the information that is available today. No one can yet claim extensive experience deploying all the IPv6 security mitigation techniques. For now, we can only discuss what is known to be true, based on limited deployment experiences. However, there is some certainty that the techniques shown in this book are effective based on the current knowledge of IPv6, testing, and experience securing computer networks.

Summary

Effective security involves finding that perfect balance between protecting an asset and handling the extra burden security adds to doing business. The implementation of security should match the value of your assets and the acceptable level of risk. You should craft a security strategy that matches your level of risk. When it comes to IPv6, this means adjusting the security measures to fit the changes related to using a new network layer protocol. First you must understand the differences between IPv4 and IPv6 and know how those deltas have security implications. Next you must understand what vulnerabilities in IPv6 you must address. The final step is to implement security mitigation techniques to provide adequate coverage for your environment.

Even though the guidelines in this book are based on sound principles, they are not necessarily considered time-tested best practices. Just as IPv6 is in its early stages, the methods of securing IPv6 are rapidly changing. Because few IPv6 attacks exist, not all the future attacks are fully understood. Therefore, the guidelines in this book need to be customized to meet your organization’s needs. Please do not just implement every command listed in this book. Rather, you should read the book, understand the threats, and then embark on using the correct techniques to secure your own IPv6 network.